Azure – Define a security baseline for Azure AD Administrators

A new security feature has been delivered in preview for Azure AD: a security baseline for any Azure AD administrator.

This baseline will be enabled by default (during the preview you HAVE to enable it) and will require multi-factor authentication (MFA) for any privileged account, such as:

Global Administrator

Service Administrator

SharePoint Administrator

Exchange Administrator

Conditional Access Administrator

Security Administrator

To enable or disable (though not recommended) the security baseline, go to your Azure or Azure AD portal with a Global Administrator account and open the Conditional Access configuration blade.

There you should see the policy named Baseline policy: Require MFA for admins.

If you edit the policy, you will be able to enable or disable it as well as define excluded users/groups (don’t forget to exclude the account you may use for the Exchange Hybrid endpoint). It is recommended to have at least one GA (Global Administrator) account not impacted by the baseline policy (of course, you will need to give it a very strong and secure password and keep it in a safe place).
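
Before enabling the policy, it helps to know which accounts hold the covered roles, which of them have no MFA method registered yet, and whether a Global Administrator stays excluded. The script below is an added example, not part of the original post; it assumes the MSOnline PowerShell module, and the role-name patterns and the excluded account name are placeholders to adjust for your tenant.

```powershell
# Added example: audit privileged role members before enabling the baseline policy.
Import-Module MSOnline
Connect-MsolService   # sign in with a Global Administrator account

# Assumption: patterns for the roles listed above. Directory role names can differ
# from the portal names (Global Administrator appears as "Company Administrator"),
# so compare these against the output of Get-MsolRole in your tenant.
$rolePatterns = @(
    'Company Administrator',
    'Service*Administrator',
    '*SharePoint*Administrator',
    '*Exchange*Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

# Assumption: accounts you plan to exclude from the policy (placeholder value).
$plannedExclusions = @('breakglass@contoso.example')

$report = foreach ($role in Get-MsolRole) {
    # Keep only roles matching one of the patterns.
    if (-not ($rolePatterns | Where-Object { $role.Name -like $_ })) { continue }

    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Role members that are not users (e.g. service principals) return nothing here.
        $user = Get-MsolUser -ObjectId $member.ObjectId -ErrorAction SilentlyContinue
        if (-not $user) { continue }

        [pscustomobject]@{
            Role          = $role.Name
            User          = $user.UserPrincipalName
            MfaRegistered = ($user.StrongAuthenticationMethods.Count -gt 0)
            Excluded      = ($plannedExclusions -contains $user.UserPrincipalName)
        }
    }
}

$report | Sort-Object Role, User | Format-Table -AutoSize

# Admins the policy will prompt who have not registered any MFA method yet.
$report | Where-Object { -not $_.Excluded -and -not $_.MfaRegistered } |
    ForEach-Object { Write-Warning "$($_.User) ($($_.Role)) has no MFA method registered" }

# At least one Global Administrator should stay outside the policy.
if (-not ($report | Where-Object { $_.Role -eq 'Company Administrator' -and $_.Excluded })) {
    Write-Warning 'No Global Administrator is in the planned exclusion list'
}
```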